lacework-global-393

ElastiCache clusters should not use the default subnet group (Automated)

Description

When you launch an ElastiCache cluster without providing a custom subnet group, AWS automatically creates a default subnet group instead. The default group uses subnets from the default Virtual Private Cloud (VPC).

You should instead use a custom, more restrictive subnet group, so that you control both the subnets where your cluster resides and the network configuration the cluster inherits from those subnets.

Remediation

From the AWS Console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Database > ElastiCache.
  4. Under Configurations, click Subnet groups.
  5. Click Create subnet group.
  6. Configure the group as required, and click Create.
  7. Under Resources, click Redis caches.
  8. Click Create Redis cache.
  9. Under Connectivity, select the newly created subnet group.
  10. Make any further changes, then click Create.

From CLI:

Create a new subnet group:

aws elasticache create-cache-subnet-group --cache-subnet-group-name <subnet_group_name> --cache-subnet-group-description <description> --subnet-ids <list_of_subnet_ids>

The subnet group of an existing cluster cannot be changed, so recreate the cluster with the new subnet group assigned (the engine is required; --apply-immediately only applies to modify-cache-cluster, not to create):

aws elasticache create-cache-cluster --cache-cluster-id <cluster_id> --engine <redis|memcached> --cache-subnet-group-name <subnet_group_name>
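To find the clusters this policy would flag before remediating them, the following check is added here as an example; it is not Lacework's policy logic or AWS code. It takes the JSON returned by `aws elasticache describe-cache-clusters` and `aws elasticache describe-cache-subnet-groups` (a constructed sample is embedded so it runs offline), flags every cluster whose CacheSubnetGroupName is the automatically created "default" group, and, going one step beyond the control, also flags custom subnet groups whose VPC is a default VPC (assumed to be supplied from `aws ec2 describe-vpcs --filters Name=isDefault,Values=true`), since those still inherit default-VPC networking.

```python
"""Flag ElastiCache clusters that rely on the default subnet group (added example)."""
import json
import sys

# Name AWS gives the subnet group it creates automatically.
DEFAULT_SUBNET_GROUP = "default"

# Constructed sample data in the shape of the two describe-* calls; not real resources.
SAMPLE_CLUSTERS = [
    {"CacheClusterId": "sessions-redis", "CacheSubnetGroupName": "default"},
    {"CacheClusterId": "catalog-redis", "CacheSubnetGroupName": "cache-private"},
    {"CacheClusterId": "legacy-memcached", "CacheSubnetGroupName": "cache-legacy"},
    {"CacheClusterId": "orphan-redis", "CacheSubnetGroupName": "cache-deleted"},
]
SAMPLE_SUBNET_GROUPS = [
    {"CacheSubnetGroupName": "default", "VpcId": "vpc-default0001",
     "Subnets": [{"SubnetIdentifier": "subnet-d1"}, {"SubnetIdentifier": "subnet-d2"}]},
    {"CacheSubnetGroupName": "cache-private", "VpcId": "vpc-app0001",
     "Subnets": [{"SubnetIdentifier": "subnet-p1"}, {"SubnetIdentifier": "subnet-p2"}]},
    {"CacheSubnetGroupName": "cache-legacy", "VpcId": "vpc-default0001",
     "Subnets": [{"SubnetIdentifier": "subnet-d1"}]},
]
SAMPLE_DEFAULT_VPCS = ["vpc-default0001"]


def audit_subnet_groups(clusters, subnet_groups, default_vpc_ids=()):
    """Return one finding dict per non-compliant cluster.

    clusters        -- the "CacheClusters" list from describe-cache-clusters
    subnet_groups   -- the "CacheSubnetGroups" list from describe-cache-subnet-groups
    default_vpc_ids -- ids of default VPCs (optional, enables the stricter check)
    """
    groups_by_name = {g["CacheSubnetGroupName"]: g for g in subnet_groups}
    findings = []
    for cluster in clusters:
        cluster_id = cluster["CacheClusterId"]
        group_name = cluster.get("CacheSubnetGroupName", "")
        finding = {"cluster": cluster_id, "subnet_group": group_name}

        # The control itself: the automatically created group is non-compliant.
        if group_name == DEFAULT_SUBNET_GROUP:
            finding["reason"] = "uses the automatically created default subnet group"
            findings.append(finding)
            continue

        group = groups_by_name.get(group_name)
        if group is None:
            # Cannot verify the group's VPC; report rather than silently pass.
            finding["reason"] = "subnet group not found; placement cannot be verified"
            findings.append(finding)
            continue

        # Stricter than the control: a custom group still in the default VPC.
        if group.get("VpcId") in set(default_vpc_ids):
            finding["reason"] = "custom subnet group is in default VPC %s" % group["VpcId"]
            findings.append(finding)
    return findings


def run_sample():
    """Audit the constructed sample; used by the stand-alone run below."""
    return audit_subnet_groups(SAMPLE_CLUSTERS, SAMPLE_SUBNET_GROUPS, SAMPLE_DEFAULT_VPCS)


def run_from_files(clusters_path, groups_path, default_vpc_ids=()):
    """Audit real output saved with: aws elasticache describe-cache-clusters > clusters.json
    and aws elasticache describe-cache-subnet-groups > groups.json."""
    with open(clusters_path) as fh:
        clusters = json.load(fh)["CacheClusters"]
    with open(groups_path) as fh:
        groups = json.load(fh)["CacheSubnetGroups"]
    return audit_subnet_groups(clusters, groups, default_vpc_ids)


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        results = run_from_files(sys.argv[1], sys.argv[2], sys.argv[3:])
    else:
        results = run_sample()
    for f in results:
        print("%-20s %-16s %s" % (f["cluster"], f["subnet_group"], f["reason"]))
```

Run with no arguments to see the sample findings, or pass the two saved JSON files plus any default VPC ids as extra arguments. A subnet group that a cluster references but that does not appear in describe-cache-subnet-groups is reported as unverifiable rather than passed, so a stale or partial export does not hide a misconfiguration.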

References

https://docs.aws.amazon.com/securityhub/latest/userguide/elasticache-controls.html#elasticache-7
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/SubnetGroups.Creating.html